Applying a zero trust approach to security within an organization continues to be a major focus point. We look at resources and member views that examine the value of zero trust based on real-world experience.

As the security threat landscape evolves and expands at an exponential rate, methods and strategies that can provide a broad and reliable level of access security are of paramount importance. A spate of cyber attacks this year has been based on gaining access to a network or key systems to access or copy data. This is a contributing factor in the growth of zero trust security models within organizations.

Zero trust defines boundaries by assuming no implicit trust in any entity, whether inside or outside the network perimeter. It is about verifying identity and continuously validating the security posture of devices, users, and applications before granting access, regardless of location inside or outside the core physical infrastructure.

Using Zero Trust to Bolster Defense

“The old way of applying Cybersecurity in organizations can be categorized as the Castle-and-Moat methodology of protection,” said Byron Beasley, CISSP. “Zero trust has taken this dynamic and changed it to a ‘Never Trust, Always Verify’ methodology. What this means is that no longer is it OK to trust either incoming or inside users/devices that have passed the checks at the perimeter, they now must be periodically or continuously challenged/authenticated to verify not only that they are who they say they are but also have the need to be there.”

Tackling the location challenge is something that Raoul Hira, CISSP, discussed in his article “Enhancing Cyber Maturity with Zero Trust: A Practical Guide to Defense”. In this piece, Hira shares many of his own experiences of deploying and using zero trust principles to establish a more mature and robust defensive strategy. In particular, he looks at the role zero trust can play in providing effective security controls for remote workers.

With the marked global shift towards remote and hybrid working during and following the COVID-19 pandemic, the role of zero trust has become more pronounced, as organizations look for ways of tightening security while also ensuring that remote users can still access essential data and systems. “The shift to remote work has expanded traditional security perimeters and introduced vulnerabilities that are less prevalent in controlled office environments. In my experience, remote work settings often lack rigorous security measures, making them prime targets for attackers,” Hira explained.

Addressing the deficiencies in security in a remote working environment can also require additional effort to overcome resistance and obtain stakeholder buy-in from the remote users. “It involves challenging long-held beliefs about trust and verification, which can be met with resistance from stakeholders accustomed to traditional security,” noted Taher Amine Elhouari, CISSP, CC.

Building a Long-Term Zero Trust Architecture

An effective zero trust approach requires strict verification for everyone trying to access resources, regardless of whether they’re inside or outside the network. Achieving this requires a mix of processes, policies, technologies and adherence.

Nitin Uttreja, CISSP, in the article “Zero Trust Architecture: Building a Resilient Cybersecurity Framework with Key Technologies and Strategies”, discussed some of the key solutions to consider when implementing a zero trust approach. These include network access control, micro-segmentation, next-generation firewalls and privileged access management. “To transition your organization to zero trust, use the functionality of your existing security solutions and consider additional technologies for a comprehensive architecture. Embracing zero trust principles and architecture, you can proactively secure digital assets and sensitive data, ensuring resilience against evolving cyber threats,” he said.

There is also the cultural consideration. Zero trust can represent a fundamental shift in usage and authentication, requiring users to embrace different ways of verifying themselves at points throughout the IT infrastructure, rather than trying to circumvent them. ISC2 member Baysah Guwor, CC, noted: “The primary barrier organizations face when implementing zero trust is often cultural resistance and organizational apathy. Shifting from traditional perimeter-based security models to a zero trust architecture requires a fundamental change in mindset, which can be challenging for established processes and hierarchical structures to adapt to.”

Building on Zero Trust Technology with Education

Zero trust is a model and a strategy, not a product. Key to the successful implementation is education and training, to ensure that the technology is deployed and used effectively. “Participation in zero trust continuing education is essential for all stakeholders involved in cybersecurity, from IT professionals to C-suite executives,” said Guwor.

“The value of having representatives from your organization participate [in zero trust training] lies in fostering a comprehensive understanding of zero trust principles and their implications for security posture in order to raise more practical awareness,” added Elhouari.

Traditional network architecture was designed around the concept of a perimeter network, and the assumption that if you are physically within it or successfully pass the perimeter, you are meant to be there and are largely given unfettered access and movement. With the shift towards distributed cloud computing, remote working and digital supply chains requiring suppliers to connect systems, the network perimeter is harder to rely on, pointing to a future in which constant verification and the suspension of assumed trust are necessary.
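
The contrast between perimeter trust and per-request verification, as an added Python example that is not part of the original article. The user names, resources, entitlement set and the 15-minute re-authentication interval are constructed assumptions chosen for illustration.

```python
from dataclasses import dataclass

# All names, thresholds and sample values below are constructed for illustration.
MAX_AUTH_AGE_S = 900  # assumed re-authentication interval (15 minutes)
ENTITLEMENTS = {("alice", "payroll-db"), ("bob", "wiki")}  # who needs what

@dataclass
class Request:
    user: str
    resource: str
    inside_perimeter: bool   # network location of the caller
    mfa_verified: bool       # identity verified with a second factor
    device_compliant: bool   # device posture check passed
    auth_age_s: int          # seconds since the last successful authentication

def perimeter_decision(req: Request) -> bool:
    """Castle-and-moat: being inside the perimeter is treated as sufficient."""
    return req.inside_perimeter

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Evaluate every request; network location is never an input."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "re-authentication required"
    if not req.device_compliant:
        return False, "device posture failed"
    if (req.user, req.resource) not in ENTITLEMENTS:
        return False, "no need to access this resource"
    return True, "allow"

SAMPLE_REQUESTS = [
    Request("bob", "payroll-db", True, True, True, 60),       # insider, no entitlement
    Request("alice", "payroll-db", False, True, True, 120),   # remote, fully verified
    Request("alice", "payroll-db", True, True, False, 120),   # inside, non-compliant device
    Request("alice", "payroll-db", False, True, True, 3600),  # remote, stale session
]

def compare(requests):
    """Return (perimeter result, zero trust result, reason) per request."""
    return [(perimeter_decision(r), *zero_trust_decision(r)) for r in requests]

if __name__ == "__main__":
    for r, (old, new, why) in zip(SAMPLE_REQUESTS, compare(SAMPLE_REQUESTS)):
        print(f"{r.user}->{r.resource} perimeter={old} zero_trust={new} ({why})")
```

The first and third requests are the ones the perimeter model waves through and the per-request checks stop; the second is a remote user the perimeter model would refuse despite valid identity, posture and entitlement.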